Apache Error Logs Not Parsing Correctly

I'm not able to parse the Apache error logs. I keep getting these errors:

    [0] "_grokparsefailure"

which means that there's an error in parsing the logs.

Apache Error Logs:

    [Wed Aug 17 20:00:00.661037 2022] [proxy:error] [pid 36621:tid 139697636505344] (111)Connection refused: AH00957: HCTCP: attempt to connect to (myserver.gc.ca) failed

In the patterns.d file, I have this:

    APACHE_ERROR_LOG \[%{APACHE_ERROR_TIME:timestamp}\] \[%{WORD:source}:%{LOGLEVEL:loglevel}\] \[pid %{NUMBER:pid}:tid %{NUMBER:tid}\] (?:\[client %{IPORHOST:clientip}:%{POSINT:port}\] ){0,1}%{GREEDYDATA:errormsg}

In my apache-error-log.conf file, I have this:

    grok {
        patterns_dir => [ "/opt/logstash/patterns.d" ]
        match => { "message" => "%{APACHE_ERROR_LOG}" }
    }

I have no idea why I'm getting this "_grokparsefailure" error. Would anyone know where I might have gone wrong?
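
One way to narrow down a `_grokparsefailure` like this offline is to expand the pattern into a plain regex and check, reference by reference, how far it matches the sample line. This is an added example, not part of the original post or of Logstash. Assumptions: the sub-pattern definitions are simplified stand-ins for the stock grok patterns, `APACHE_ERROR_TIME` is a hypothetical definition because the post does not show one, and `STRICT`, `expand` and `first_failure` are names made up for this sketch.

```python
import re

# Simplified stand-ins for the stock grok patterns (assumption: sufficient for
# this one log line; the shipped definitions are broader).
PATTERNS = {
    "WORD": r"\b\w+\b",
    "NUMBER": r"[+-]?\d+(?:\.\d+)?",
    "POSINT": r"\b[1-9][0-9]*\b",
    "LOGLEVEL": r"(?i:emerg|alert|crit|error|warn|notice|info|debug)",
    "IPORHOST": r"[0-9A-Za-z][0-9A-Za-z.-]*",
    "GREEDYDATA": r".*",
    # Assumption: the post does not show APACHE_ERROR_TIME, so this
    # definition is hypothetical.
    "APACHE_ERROR_TIME": r"\w{3} \w{3} \d{1,2} \d{2}:\d{2}:\d{2}(?:\.\d+)? \d{4}",
}
# Constructed variant without fractional seconds, to show a localised failure.
STRICT = dict(PATTERNS, APACHE_ERROR_TIME=r"\w{3} \w{3} \d{1,2} \d{2}:\d{2}:\d{2} \d{4}")

# Pattern and log line copied from the post.
APACHE_ERROR_LOG = (r"\[%{APACHE_ERROR_TIME:timestamp}\] \[%{WORD:source}:%{LOGLEVEL:loglevel}\] "
                    r"\[pid %{NUMBER:pid}:tid %{NUMBER:tid}\] "
                    r"(?:\[client %{IPORHOST:clientip}:%{POSINT:port}\] ){0,1}%{GREEDYDATA:errormsg}")
SAMPLE = ("[Wed Aug 17 20:00:00.661037 2022] [proxy:error] [pid 36621:tid 139697636505344] "
          "(111)Connection refused: AH00957: HCTCP: attempt to connect to (myserver.gc.ca) failed")

GROK_REF = re.compile(r"%\{(\w+)(?::(\w+))?\}")

def expand(pattern, defs=PATTERNS):
    """Turn %{NAME:field} references into named regex groups."""
    def repl(m):
        name, field = m.groups()
        if name not in defs:
            raise KeyError(f"pattern %{{{name}}} not defined")
        return f"(?P<{field}>{defs[name]})" if field else f"(?:{defs[name]})"
    return GROK_REF.sub(repl, pattern)

def first_failure(pattern, line, defs=PATTERNS):
    """Name of the first %{...} reference at which the pattern stops matching
    `line`, or None when every cut (including the full pattern here) matches."""
    for m in GROK_REF.finditer(pattern):
        try:
            rx = re.compile(expand(pattern[:m.end()], defs))
        except re.error:  # cut fell inside an open group; try the next cut
            continue
        if not rx.search(line):  # grok patterns are unanchored, so search()
            return m.group(1)
    return None

if __name__ == "__main__":
    print(first_failure(APACHE_ERROR_LOG, SAMPLE))
    print(first_failure(APACHE_ERROR_LOG, SAMPLE, STRICT))
```

Swapping the real contents of the patterns.d file into `PATTERNS` is what makes the result meaningful for a given setup; a failure inside the optional `[client ...]` group is reported at the next complete cut.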

